Use the following procedures to configure FortiGate interfaces and VLAN subinterfaces.

• To bring down an interface that is administratively up

• To add interfaces to a zone

• To add an interface to a virtual domain

• To change the static IP address of an interface

• To configure an interface for DHCP

• To configure an interface for PPPoE

• To add a secondary IP address

• To configure support for dynamic DNS services

• To add a ping server to an interface

• To control administrative access to an interface

• To change the MTU size of the packets leaving an interface

• To configure traffic logging for connections to an interface

To add a VLAN subinterface

See “To add a VLAN subinterface in NAT/Route mode” on page 74.

Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.

System Network Interface

To bring down an interface that is administratively up

You can bring down physical interfaces or VLAN subinterfaces. Bringing down a physical interface also brings down the VLAN subinterfaces associated with it.

1 Go to System > Network > Interface. The interface list is displayed.

2 Select Bring Down for the interface that you want to stop.

To start up an interface that is administratively down

You can start up physical interfaces and VLAN subinterfaces. Starting a physical interface does not start the VLAN subinterfaces added to it.

1 Go to System > Network > Interface. The interface list is displayed.

2 Select Bring Up for the interface that you want to start.

To add interfaces to a zone

If you have added zones to the FortiGate unit, you can use this procedure to add interfaces or VLAN subinterfaces to the zone. To add a zone, see “To add a zone” on page 68. You cannot add an interface to a zone if you have added firewall policies for the interface. Delete firewall policies for the interface and then add the interface to the zone.

1 Go to System > Network > Zone.

2 Choose the zone to add the interface or VLAN subinterface to and select Edit.

3 Select the names of the interfaces or VLAN subinterfaces to add to the zone.

4 Select OK to save the changes.

To add an interface to a virtual domain

If you have added virtual domains to the FortiGate unit, you can use this procedure to add an interface or VLAN subinterface to a virtual domain. To add a virtual domain, see “To add a virtual domain” on page 147. You cannot add an interface to a virtual domain if you have added firewall policies for the interface. Delete firewall policies for the interface and then add the interface to the virtual domain.

1 Go to System > Network > Interface.

2 Choose the interface or VLAN subinterface to add to a virtual domain and select Edit.

3 From the Virtual Domain list, select the virtual domain that you want to add the interface to.

4 Select OK to save the changes.

5 Repeat these steps to add more interfaces or VLAN subinterfaces to virtual domains.

To change the static IP address of an interface

You can change the static IP address of any FortiGate interface.

3 Set Addressing Mode to Manual.

4 Change the IP address and Netmask as required.

5 Select OK to save your changes.

If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.

To configure an interface for DHCP

You can configure any FortiGate interface to use DHCP.

1 Go to System > Network > Interface.

2 Choose an interface and select Edit.

3 In the Addressing Mode section, select DHCP.

4 Select the Retrieve default gateway and DNS from server check box if you want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server.

5 Select the Connect to Server check box if you want the FortiGate unit to connect to the DHCP server.

6 Select Apply.

The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address, netmask, and optionally the default gateway IP address, and DNS server IP addresses.

7 Select Status to refresh the addressing mode status message.

8 Select OK.

To configure an interface for PPPoE

Use this procedure to configure any FortiGate interface to use PPPoE. See “PPPoE” on page 59 for information on PPPoE settings.

1 Go to System > Network > Interface.

2 Choose an interface and select Edit.

3 In the Addressing Mode section, select PPPoE.

4 Enter your PPPoE account User Name and Password.

5 Enter an Unnumbered IP if required by your PPPoE service.

6 Set the Initial Disc Timeout and Initial PADT Timeout if supported by your ISP.

7 Select the Retrieve default gateway from server check box if you want the FortiGate unit to obtain a default gateway IP address from the PPPoE server.

8 Select the Override Internal DNS check box if you want the FortiGate unit to obtain a DNS server IP address from the PPPoE server.

10 Select Apply.

The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, and optionally default gateway IP address and DNS server IP addresses.

11 Select Status to refresh the addressing mode status message.

12 Select OK.

To add a secondary IP address

You can use the CLI to add a secondary IP address to any FortiGate interface. The secondary IP address cannot be on the same subnet as the primary interface, any other interface or any other secondary IP address.

From the FortiGate CLI, enter the following commands:

    config system interface
    edit <intf_str>
    config secondaryip
    edit 0
    set ip <second_ip> <netmask_ip>

Optionally, you can also configure management access and add a ping server to the secondary IP address:

    set allowaccess ping https ssh snmp http telnet
    set gwdetect enable

Save the changes:

end
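
A pre-change check for the subnet rule in this procedure, as an added Python example (not part of the FortiGate guide and not Fortinet code): it rejects a candidate secondary address whose subnet overlaps an address already in use, and otherwise returns the command sequence shown above. The interface names and addresses in EXISTING are constructed sample values.

```python
import ipaddress

# Constructed sample: addresses already configured on the unit (illustrative).
EXISTING = {
    "internal": "192.168.1.99/255.255.255.0",
    "external": "203.0.113.10/255.255.255.0",
    "dmz": "10.10.10.1/255.255.255.0",
}

def subnet_conflicts(second_ip, netmask_ip, existing):
    """Return the names of existing addresses whose subnet overlaps the candidate."""
    candidate = ipaddress.ip_interface(f"{second_ip}/{netmask_ip}").network
    return [
        name
        for name, addr in existing.items()
        # overlaps() also catches a wider mask that swallows an existing subnet
        if ipaddress.ip_interface(addr).network.overlaps(candidate)
    ]

def secondaryip_commands(intf, second_ip, netmask_ip, existing):
    """Build the CLI sequence from the procedure, refusing overlapping subnets."""
    conflicts = subnet_conflicts(second_ip, netmask_ip, existing)
    if conflicts:
        raise ValueError(
            f"{second_ip} {netmask_ip} overlaps the subnet of: {', '.join(conflicts)}"
        )
    return [
        "config system interface",
        f"edit {intf}",
        "config secondaryip",
        "edit 0",
        f"set ip {second_ip} {netmask_ip}",
        "end",
    ]

if __name__ == "__main__":
    # Non-overlapping candidate: prints the commands to enter.
    print("\n".join(secondaryip_commands("external", "198.51.100.5",
                                         "255.255.255.0", EXISTING)))
    # Overlapping candidate (a /16 that contains the internal /24): rejected.
    try:
        secondaryip_commands("external", "192.168.0.1", "255.255.0.0", EXISTING)
    except ValueError as err:
        print("rejected:", err)
```
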

To configure support for dynamic DNS services

1 Go to System > Network > Interface.

2 Select the interface to the Internet and then select Edit.

3 Select DDNS Enable.

4 From the Server list, select one of the supported dynamic DNS services.

5 In the Domain field, type the fully qualified domain name of the FortiGate unit.

6 In the Username field, type the user name that the FortiGate unit must send when it connects to the dynamic DNS server.

7 In the Password field, type the associated password.

8 Select OK.

To add a ping server to an interface

1 Go to System > Network > Interface.

2 Choose an interface and select Edit.

5 Select OK to save the changes.

To control administrative access to an interface

For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.

Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:

• Use secure administrative user passwords,

• Change these passwords regularly,

• Enable secure administrative access to this interface using only HTTPS or SSH,

• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 91).

To configure administrative access in Transparent mode, see “To configure the management interface” on page 69.

1 Go to System > Network > Interface.

2 Choose an interface and select Edit.

3 Select the Administrative Access methods for the interface.

4 Select OK to save the changes.
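
An offline audit for the recommendation above to allow only HTTPS or SSH, as an added Python example that is not part of the guide and not Fortinet code: it parses a saved "config system interface" block and reports interfaces and secondary IP entries whose allowaccess list includes HTTP or Telnet. The sample configuration is constructed, and treating exactly http and telnet as findings is this example's assumption.

```python
# Assumption: "only HTTPS or SSH" means http and telnet are the findings.
CLEARTEXT = {"http", "telnet"}

# Constructed sample; interface names and addresses are illustrative.
SAMPLE_CONFIG = """\
config system interface
    edit "external"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https http telnet
        config secondaryip
            edit 0
                set ip 198.51.100.5 255.255.255.0
                set allowaccess ping https ssh snmp http telnet
            next
        end
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

def audit_allowaccess(config_text):
    """Return (interface, scope, cleartext_protocols) for each risky entry."""
    findings, path = [], []  # path: stack of ("config" | "edit", name)
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            path.append((tokens[0], " ".join(tokens[1:]).strip('"')))
        elif tokens[0] in ("next", "end"):
            closes = "edit" if tokens[0] == "next" else "config"
            while path and path.pop()[0] != closes:
                pass  # also discards an entry left open by a missing "next"
        elif tokens[:2] == ["set", "allowaccess"]:
            if not path or path[0] != ("config", "system interface"):
                continue  # allowaccess outside the interface table is ignored
            edits = [name for kind, name in path if kind == "edit"]
            risky = sorted(CLEARTEXT.intersection(tokens[2:]))
            if edits and risky:
                scope = "primary" if len(edits) == 1 else f"{path[-2][1]} {edits[-1]}"
                findings.append((edits[0], scope, risky))
    return findings

if __name__ == "__main__":
    for interface, scope, protocols in audit_allowaccess(SAMPLE_CONFIG):
        print(f"{interface} ({scope}): cleartext admin access {protocols}")
```
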

To change the MTU size of the packets leaving an interface

1 Go to System > Network > Interface.

2 Choose an interface and select Edit.

3 Select Override default MTU value (1500).

4 Set the MTU size.

To configure traffic logging for connections to an interface

1 Go to System > Network > Interface.

2 Choose an interface and select Edit.

3 Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.

4 Select OK to save the changes.

Note: You cannot set the MTU of a VLAN larger than the MTU of its physical interface. Nor can you set the MTU of a physical interface smaller than the MTU of any VLAN on that interface.

System Network Zone
